
Replace cosign with sigstore-go #1806

Merged 2 commits on Dec 11, 2023

Conversation

@rdimitrov (Member) commented Dec 4, 2023

The following PR removes the use of cosign in favour of sigstore-go through introducing the concept of artifact verifiers.

Details:

Abstracted the artifact verification to happen through a new Verifier type:

  • Currently there's sigstore, but the idea is to make it easy to add more verification backends for things like slsa, sbom, etc. through the ArtifactVerifier interface.
  • Verifiers are intended to be configurable, i.e. specify a custom trusted root repository for sigstore.
  • Easily add support for different types of artifacts. Currently, there's ArtifactTypeContainer but can be extended with artifacts like npm, etc.

Artifact version retention:

  • We now skip storing versions that have no tags in them, since we cannot do anything with them.
  • Changed the way we garbage collect artifact versions (so far anything older than 30 days was deleted).
  • Updated the retention period to 6 months OR if there are leftover versions without any tag values.
  • Fixed a bug where we were not getting all artifact versions - #1810

Other:

  • Fixed a bug where the Rekor log index was stored in an int32 variable (it's a float64)
  • Added an emptydir volume to our helm charts used for the TUF cache until sigstore-go has support for in-memory/no-cache mode. A unique tmp folder is created and deleted each time the verifier is instantiated to ensure we don't clash when scaling up/down.

What's left:

  • Parse the verification result and populate all of the needed values for signature and workflow info.
  • Update the artifact retention logic (do not store tag-empty artifacts, store tagged ones for more than 30 days, make sure we continue to handle the sig-before/after-artifact test case correctly)
  • Figure out if I can make sigstore-go run in in-memory mode only (allow for read-only file system)

Parked:

  • Sync with the sigstore-go community to figure out if the inclusionProof value from the bundle is needed when we do online verification. Update: The outcome is we should update eventually to v2 of the bundle format, but until that happens it's okay to use v1 (without the inclusionProof data) so we can migrate to v2 easily once this is cleared as a topic, i.e. we can fetch the rekor details from the OCI (waiting for support by cosign).

Fixes: #534
Fixes: #1810
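The retention rules listed under "Artifact version retention" above (skip untagged versions on ingest; garbage-collect stored versions that are older than 6 months or have been left without tags) are easy to get subtly wrong, so here they are as an added, self-contained example. This is illustrative code written for this page, not Minder's own implementation: the ArtifactVersion struct, its field names, the function names and the sample versions are all assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"time"
)

// ArtifactVersion is a constructed stand-in for one stored artifact version.
// The field names are assumptions for this example, not Minder's schema.
type ArtifactVersion struct {
	ID        int64
	Tags      []string
	CreatedAt time.Time
}

// RetentionMonths is the retention window from the PR description (6 months).
const RetentionMonths = 6

// ShouldStore reports whether an incoming version should be persisted at all:
// a version with no tags is skipped, since no rule can act on it.
func ShouldStore(v ArtifactVersion) bool {
	return len(v.Tags) > 0
}

// SelectForDeletion applies the garbage-collection rule to already stored
// versions: drop a version when it is older than the retention window OR has
// been left without any tag values; keep everything else.
func SelectForDeletion(versions []ArtifactVersion, now time.Time) (keep, drop []ArtifactVersion) {
	cutoff := now.AddDate(0, -RetentionMonths, 0)
	for _, v := range versions {
		if len(v.Tags) == 0 || v.CreatedAt.Before(cutoff) {
			drop = append(drop, v)
			continue
		}
		keep = append(keep, v)
	}
	return keep, drop
}

// SampleVersions builds constructed input relative to now: a fresh tagged
// version, a tagged version older than the window, a tagged version inside the
// window that the old 30-day rule would have deleted, and a recent version
// whose tags were all moved away.
func SampleVersions(now time.Time) []ArtifactVersion {
	return []ArtifactVersion{
		{ID: 1, Tags: []string{"v1.2.0", "latest"}, CreatedAt: now.AddDate(0, 0, -3)},
		{ID: 2, Tags: []string{"v0.9.0"}, CreatedAt: now.AddDate(0, -7, 0)},
		{ID: 3, Tags: []string{"v1.0.0"}, CreatedAt: now.AddDate(0, -2, 0)},
		{ID: 4, Tags: nil, CreatedAt: now.AddDate(0, 0, -1)},
	}
}

func main() {
	now := time.Date(2023, 12, 11, 0, 0, 0, 0, time.UTC)
	keep, drop := SelectForDeletion(SampleVersions(now), now)
	for _, v := range keep {
		fmt.Printf("keep   id=%d tags=%v age=%s\n", v.ID, v.Tags, now.Sub(v.CreatedAt))
	}
	for _, v := range drop {
		fmt.Printf("delete id=%d tags=%v age=%s\n", v.ID, v.Tags, now.Sub(v.CreatedAt))
	}
}
```

Keeping the "no tags" test in both ShouldStore and SelectForDeletion matters: a version can be stored with tags and lose them later when the tags move to a newer digest, and that is the "leftover versions without any tag values" case the description wants collected.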

@stacklokbot (Contributor) left a comment

Minder analyzed this PR and found no vulnerable dependencies.

@stacklokbot (Contributor) left a comment

Minder found vulnerable dependencies in this PR. Either push an updated
version or accept the proposed changes. Note that accepting the changes will
include Minder as a co-author of this PR.

github.com/aws/aws-sdk-go v1.47.0 h1:/JUg9V1+xh+qBn8A6ec/l15ETPaMaBqxkjz+gg63dNk=
github.com/aws/aws-sdk-go v1.47.0/go.mod h1:DlEaEbWKZmsITVbqlSVvekPARM1HzeV9PMYg15ymSDA=
github.com/aws/aws-sdk-go-v2 v1.21.2/go.mod h1:ErQhvNuEMhJjweavOYhxVkn2RUx7kQXVATHrjKtxIpM=
github.com/aws/aws-sdk-go v1.48.7 h1:gDcOhmkohlNk20j0uWpko5cLBbwSkB+xpkshQO45F7Y=

Contributor:

Vulnerability found, but no patched version exists yet.

Contributor:

I remember seeing this in cosign before, it requires an upgrade to v2.

Contributor:

Just a note for outside of this issue 'no patched version exists yet.' I wonder if we should remove 'requested changes' when this sort of situation plays out?

Member Author:

That would be better 👍 Also it now added another comment when I pushed again.

Contributor:

Good idea, I filed #1860 so that we don't forget.

@rdimitrov rdimitrov changed the title WIP: Replace cosign with sigstore-go Replace cosign with sigstore-go Dec 5, 2023

@rdimitrov (Member Author):

I now realise this PR got stretched up with fixes for some other issues I found during this implementation, so I'd understand if this is blocking and you'd want me to split the changes into smaller standalone PRs.

@@ -126,6 +126,9 @@ spec:
- name: identity-secrets
secret:
secretName: {{ .Values.deploymentSettings.secrets.identitySecretName }}
- name: sigstore-tuf-cache
emptyDir:
sizeLimit: 500Mi
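Review bot: `sizeLimit: 500Mi` is a hard cap that gets the pod evicted once the emptyDir exceeds it, and the PR description says a fresh temp folder is created per verifier instantiation, so any folder that is not removed on an error path accumulates toward that cap. Suggest a comment next to `sizeLimit: 500Mi` stating what a TUF root fetch is expected to occupy, and sourcing the value from `.Values` (as the neighbouring `secretName: {{ .Values.deploymentSettings.secrets.identitySecretName }}` does) so operators can tune it without editing the template.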

Contributor:

awesome, thanks for doing this already!

@@ -893,6 +867,55 @@ func upsertVersionedArtifact(
return &dbArtifact, &dbVersion, nil
}

func processArtifactVersionConflicts(ctx context.Context, qtx db.Querier, dbArtifact db.Artifact, incomingTag string) error {
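Review bot: `processArtifactVersionConflicts` has no doc comment, and its `qtx db.Querier` parameter suggests it runs inside the caller's transaction; since most of this hunk's added lines are not shown, document what counts as a conflict (presumably an existing version already carrying `incomingTag`) and whether an error returned here is meant to roll back the whole `upsertVersionedArtifact`, so the behaviour on partial failure is explicit rather than implied by the signature.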

Contributor:

We can leave this function as-is for now. But, how often would this happen? I'm concerned this all happens in one transaction which might lead to us not processing the entries at all due to some in-between conflicts/errors.

Member Author:

I'm inclined to think this should be part of the processing, because if we had a conflict and we failed to fix it this means we cannot ensure that the profile evaluation afterwards for this artifact can be trusted.


const (
	// SigstorePublicTrustedRootRepo is the public trusted root repository for sigstore
	SigstorePublicTrustedRootRepo = "tuf-repo-cdn.sigstore.dev"
)

Contributor:

Let's leave this here for now. But... just saying... this would be a handy variable for the library.

Member Author:

Yeah, my intentions as well 👍

internal/verifier/verifier.go (review thread outdated, resolved)
@@ -114,7 +114,7 @@ message SignatureVerification {
optional string cert_identity = 4;
optional string cert_issuer = 5;
optional string rekor_log_id = 6;
optional int32 rekor_log_index = 7;
optional double rekor_log_index = 7;
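Review bot: `double` is not the right scalar for `rekor_log_index`; a log index is an integer, and Rekor models it as int64, so the line should read `optional int64 rekor_log_index = 7;`. Changing field 7 from `int32` to `double` also changes its wire type (varint to fixed64) under the same field number, so any message serialized with the old schema would fail to decode; `int64` keeps the varint wire type and stays compatible with previously stored `int32` values.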

Contributor:

I'm not sure this is the right data type to use for a rekor log index. @lukehinds can you double check this? In the rekor OpenAPI spec [1] I see instances of integer while the golang API uses int64 [2]. Finally, the Rekor protobuf seems to point to an int64 as a log index [3]

[1] https://github.com/sigstore/rekor/blob/main/openapi.yaml#L184-L189
[2] https://github.com/sigstore/rekor/blob/main/pkg/api/api.go#L63
[3] https://github.com/sigstore/protobuf-specs/blob/main/protos/sigstore_rekor.proto#L94

Contributor:

I think int64 is the right choice.
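The thread above settles on int64 for the log index; the reason the value looked like a float64 in the first place is that encoding/json decodes every JSON number into float64 when the target is untyped. The following added example (written for this page, not Rekor's or sigstore-go's code; the LogEntry struct, its JSON keys and the sample entry are constructed assumptions) decodes the index directly into an int64, shows the float64 detour, converts a float64 index safely when the detour cannot be avoided, and checks whether a value would have survived the int32 field the PR replaced.

```go
package main

import (
	"encoding/json"
	"fmt"
	"math"
)

// LogEntry is a constructed struct for this example, not a Rekor or sigstore-go
// type; only the two fields discussed in the review thread are modelled.
type LogEntry struct {
	LogID    string `json:"logID"`
	LogIndex int64  `json:"logIndex"`
}

// ParseLogEntry decodes straight into an int64 field, so the index never takes
// the detour through float64 and keeps its full precision.
func ParseLogEntry(raw []byte) (LogEntry, error) {
	var e LogEntry
	if err := json.Unmarshal(raw, &e); err != nil {
		return LogEntry{}, err
	}
	if e.LogIndex < 0 {
		return LogEntry{}, fmt.Errorf("negative log index %d", e.LogIndex)
	}
	return e, nil
}

// DecodesAsFloat64 shows why the index "looks like a float64": decoding the
// same bytes into an untyped map makes encoding/json represent every JSON
// number as float64.
func DecodesAsFloat64(raw []byte) bool {
	var m map[string]any
	if err := json.Unmarshal(raw, &m); err != nil {
		return false
	}
	_, ok := m["logIndex"].(float64)
	return ok
}

// Float64ToLogIndex converts an index that has already been decoded as float64,
// refusing NaN, infinities, non-integral values and anything above 2^53, past
// which a float64 can no longer represent every integer exactly.
func Float64ToLogIndex(f float64) (int64, error) {
	if math.IsNaN(f) || math.IsInf(f, 0) || f != math.Trunc(f) {
		return 0, fmt.Errorf("log index %v is not an integer", f)
	}
	if f < 0 || f > float64(1<<53) {
		return 0, fmt.Errorf("log index %v outside the exactly representable range", f)
	}
	return int64(f), nil
}

// FitsInt32 reports whether an index would survive the int32 field the PR
// replaced; indices beyond 2^31-1 would silently wrap there.
func FitsInt32(i int64) bool {
	return i >= math.MinInt32 && i <= math.MaxInt32
}

func main() {
	// Constructed sample entry; the logID is a placeholder, not a real Rekor shard ID.
	raw := []byte(`{"logID":"<placeholder-log-id>","logIndex":4294967297}`)
	e, err := ParseLogEntry(raw)
	fmt.Println(e, err, DecodesAsFloat64(raw), FitsInt32(e.LogIndex))
	fmt.Println(Float64ToLogIndex(1.5))
}
```

Decoding into a typed int64 field is the simplest fix; if the surrounding code must keep an untyped map, json.Decoder's UseNumber (which yields json.Number) avoids the float64 representation entirely, and Float64ToLogIndex is the fallback when a float64 has already been produced.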

@JAORMX (Contributor) commented Dec 8, 2023

@rdimitrov I'd advise you to squash the commits in this PR. It might start getting hard rebasing in the near future.

@rdimitrov (Member Author):

> @rdimitrov I'd advise you to squash the commits in this PR. It might start getting hard rebasing in the near future.

Done! 👍

lukehinds previously approved these changes Dec 11, 2023
@@ -102,6 +100,8 @@ spec:
mountPath: /secrets/app
- name: identity-secrets
mountPath: /secrets/identity
- name: sigstore-tuf-cache
mountPath: /tmp/minder-cache
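Review bot: `mountPath: /tmp/minder-cache` is hard-coded in the template and must match the directory under which the Go verifier creates its per-instance temp folders; suggest driving both from one chart value (exposed to the container as an env var) so a change on either side cannot silently leave the cache on the container's root filesystem, where it would fail under a read-only root filesystem and sit outside the volume's size limit.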

Contributor:

Might not be relevant, but do we need to be careful of tmp being world readable/writable?

Contributor:

@lukehinds this is an emptyDir volume and does not use the host's /tmp directory. I think this is fine as it's a dedicated folder for Minder and there's nothing else using it.
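The exchange above is about whether a cache living under /tmp needs care because /tmp is traditionally world-writable. The PR description says each verifier instance creates and later deletes a unique temp folder, and the added example below shows that lifecycle: it is written for this page and is not Minder's verifier code; the CacheDir type, the "minder-tuf-" prefix and the root directory used in main are assumptions. The point it demonstrates is that os.MkdirTemp creates the directory with mode 0700, so the per-instance folder is private to the container's UID regardless of the permissions on the mount point, and that removing it on Close is what keeps the emptyDir from filling up.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// CacheDir is one verifier instance's private TUF cache directory. The type
// and the "minder-tuf-" prefix are assumptions for this example.
type CacheDir struct {
	Path string
}

// NewCacheDir creates a uniquely named directory under root. os.MkdirTemp
// creates it with mode 0700, so even when root is a shared, world-writable
// location like /tmp, other UIDs in the container can neither read the cached
// TUF metadata nor plant files into it.
func NewCacheDir(root string) (*CacheDir, error) {
	if err := os.MkdirAll(root, 0o755); err != nil {
		return nil, fmt.Errorf("creating cache root: %w", err)
	}
	dir, err := os.MkdirTemp(root, "minder-tuf-")
	if err != nil {
		return nil, fmt.Errorf("creating cache dir: %w", err)
	}
	return &CacheDir{Path: dir}, nil
}

// Perm returns the permission bits the directory actually has on disk.
func (c *CacheDir) Perm() (os.FileMode, error) {
	fi, err := os.Stat(c.Path)
	if err != nil {
		return 0, err
	}
	return fi.Mode().Perm(), nil
}

// Close removes the directory and its contents; calling it from the verifier's
// teardown is what keeps stale caches from piling up inside the emptyDir.
func (c *CacheDir) Close() error {
	return os.RemoveAll(c.Path)
}

// Exists reports whether a path is present (used to show the cleanup worked).
func Exists(path string) bool {
	_, err := os.Stat(path)
	return err == nil
}

func main() {
	// Assumed root for the example; in the chart this is the emptyDir mount point.
	root := filepath.Join(os.TempDir(), "minder-cache-example")
	c, err := NewCacheDir(root)
	if err != nil {
		panic(err)
	}
	perm, _ := c.Perm()
	fmt.Printf("created %s with mode %04o\n", c.Path, perm)
	_ = c.Close()
	fmt.Println("still exists after Close:", Exists(c.Path))
}
```

Pairing NewCacheDir with a deferred Close in the verifier constructor's caller gives the create-then-delete behaviour the PR description relies on; if the process can crash between the two, a sweep of leftover "minder-tuf-*" directories at startup is the usual complement.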

@jhrozek jhrozek dismissed stacklokbot’s stale review December 11, 2023 16:51

dismissing stacklokbot's review as it's not actionable

@rdimitrov rdimitrov merged commit adc7e3a into mindersec:main Dec 11, 2023
15 checks passed
@rdimitrov rdimitrov deleted the sigstore-go branch December 11, 2023 17:05
Successfully merging this pull request may close these issues:

  • Missing older artifact versions when registering a repository
  • minder: refactor cosign code into sigstore-go

5 participants